ChecklistEU

EU Digital Services Act (DSA) Checklist

A checklist you can run per service and tier - and reuse for audits and enforcement questions.

Structured as teams execute: scope -> workflows -> reporting -> tier upgrades (marketplace, VLOP/VLOSE).

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 21, 2026
Updated
Feb 21, 2026
Sections
7

Structured answer sets in this page tree.

Primary sources
2

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 21, 2026
Updated Feb 21, 2026
Overview

DSA compliance is a program, not a one-time policy update. Use this checklist per service (you may operate multiple services) and per tier (intermediary/hosting/platform/marketplace/VLOP). Each checklist item should have an owner, acceptance criteria, and evidence you can retrieve later.

Section 1

Checklist A - Scope memo and tiering (the "defensible baseline")

Before you build controls, lock your classification and tier assumptions.

This prevents scope drift and ensures you implement the right obligation set.

  • Inventory each service: features, recipients, and EU offering facts.
  • Classify per service: intermediary -> hosting -> online platform -> marketplace/search engine.
  • Document micro/small status analysis (if claimed) and exceptions/overrides.
  • Define tier trigger metrics: AMAR calculation approach (Article 24) and VLOP/VLOSE threshold monitoring (Article 33).
  • Produce a requirements matrix: Article -> obligation -> control -> owner -> evidence -> reporting cadence.
Recommended next step

Turn EU Digital Services Act (DSA) Checklist into an operational assessment

Assessment Autopilot can take EU Digital Services Act (DSA) Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on EU Digital Services Act (DSA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow
Open Assessment Autopilot for EU Digital Services Act (DSA) Checklist

Start from EU Digital Services Act (DSA) Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step
Talk to Sorena
Talk through EU Digital Services Act (DSA)

Review your current process, evidence gaps, and next steps for EU Digital Services Act (DSA) Checklist.

Explore next step
Section 2

Checklist B - Terms, contact points, and operational readiness

Baseline obligations are operational: recipients must be able to reach you and understand how moderation works.

These are foundational because they appear in multiple reporting and redress pathways.

  • Single point of contact for recipients is user-friendly and not solely automated (Article 12).
  • If not established in the EU and offering services in the EU, designate a legal representative and publish contact details (Article 13).
  • Update terms and conditions to disclose content moderation policies, procedures, measures, and tools (including algorithmic decision-making + human review) in clear, plain, machine-readable format (Article 14).
  • Build change management: recipients are informed of significant terms changes (Article 14(2)); minors-friendly explanations where relevant (Article 14(3)).
Section 3

Checklist C - Hosting workflows: notice & action + statement of reasons

If you host user-provided information, your first engineering deliverable is a notice & action system plus explainability for restrictions.

Treat these as compliance workflows with SLAs, audit logs, and QA.

  • Notice intake mechanism is electronic, easy to access, user-friendly (Article 16(1)).
  • Notice form captures required elements (Article 16(2)): reasons, exact location (URLs), notifier identity (with narrow exception), and good-faith statement.
  • Processing is timely, diligent, non-arbitrary, objective; automation use is disclosed in notifications (Article 16(6)).
  • Notifiers receive receipt confirmation and decision notification with redress options (Article 16(4)-(5)).
  • Affected recipients receive a clear, specific statement of reasons for restrictions (Article 17) including grounds, facts, automation use, and redress options.
  • Criminal threat reporting process exists for serious suspected offences (Article 18).
Section 4

Checklist D - Platform layer: transparency reporting + interface integrity

Online platforms carry additional transparency and integrity duties, often requiring data pipelines and UI changes.

Make reporting a product: define data owners, validation, and sign-off.

  • Annual transparency report (Article 15) is produced and published; covers orders, notices, complaints, automated moderation, and error/accuracy indicators.
  • If you are an online platform: include Article 24 additions (out-of-court dispute settlement metrics, suspensions) and publish AMAR every 6 months (Article 24(2)).
  • Submit Article 17 statements of reasons for inclusion in the Commission database (Article 24(5)), ensuring no personal data is included.
  • Interface is designed to avoid manipulative patterns (Article 25): termination not harder than subscription, no repeated coercive popups, etc.
  • Ads transparency (Article 26) and recommender transparency (Article 27) controls are implemented if applicable.
Section 5

Checklist E - Marketplace layer (distance contracts with traders)

If consumers can conclude distance contracts with traders, trader traceability and compliance-by-design become core controls.

Plan for KYC-like onboarding, verification, suspension, retention and deletion.

  • Trader onboarding collects Article 30 information (identity/contact, register IDs, payment account details, self-certification).
  • Best-effort reliability checks are implemented using official databases and supporting documents (Article 30(2)).
  • Suspension workflow for missing/inaccurate trader info exists (Article 30(2)-(3)) and complaint path is documented (Article 30(4)).
  • Consumer-facing trader info is displayed on listings (Article 30(7)).
  • Interface enables traders to provide required product safety/compliance information (Article 31) and supports random illegality checks (Article 31(3)).
  • Consumer notification/redress workflow exists when illegal products/services are discovered (Article 32).
Section 6

Checklist F - VLOP/VLOSE layer (systemic risk, audits, and enhanced transparency)

VLOP/VLOSE compliance is a governance and risk-management program with an annual audit cycle.

If you could be designated, build the calendar and evidence model early.

  • AMAR methodology is defensible and published at least every 6 months (Article 24(2)); prepare for Commission requests (Article 24(3)).
  • Risk assessment is completed at designation application date and at least annually; repeated before major feature launches (Article 34).
  • Risk mitigation measures are defined, owned, and monitored (Article 35) with a clear measurement plan.
  • Independent audit is performed and an audit implementation report is produced (Article 37).
  • Enhanced transparency reporting cadence is established (Article 42): at least every 6 months plus publication of risk assessment, mitigation, audit and implementation reports (with confidentiality carve-outs).
  • Recommender non-profiling option exists for each recommender system (Article 38) and ad repository exists with search tool + APIs (Article 39).
Section 7

Checklist G - Enforcement readiness (the evidence pack)

Enforcement risk drops when you can explain your decisions and produce evidence quickly.

Build an evidence pack that maps to workflows and reporting outputs.

  • Policy evidence: terms transparency, moderation policies, redress policies, marketplace policies.
  • Workflow evidence: notice processing logs, decision timestamps, statement-of-reasons records, appeals outcomes.
  • Reporting evidence: dataset definitions, QA checks, sign-offs, and published reports.
  • Security and privacy: ensure DSA submissions (e.g., statement-of-reasons database) exclude personal data where required.
  • Governance: owners, RACI, review cadence, and change management for scope and control updates.
Primary sources

References and citations

Related guides

Explore more topics

DSA Ads & Recommender Systems | Article 26, 27, 38 & 39 Compliance
A deep compliance guide for DSA advertising and recommender system obligations: ad transparency (Article 26), recommender system transparency (Article 27).
DSA Applicability Test | Is the EU Digital Services Act Applicable to You?
A step-by-step applicability test for the EU Digital Services Act (DSA, Regulation (EU) 2022/2065): EU offering triggers.
DSA Enforcement & Investigations | DSCs, Commission Powers, Audits & Procedures
A practical guide to DSA enforcement (Regulation (EU) 2022/2065): how Digital Services Coordinators (DSCs) supervise services.
DSA Notice & Action Workflow | Article 16 Requirements + Templates
A deep implementation guide for DSA notice & action (Regulation (EU) 2022/2065, Article 16): intake design, required notice elements.
DSA Penalties & Fines | Digital Services Act Enforcement Exposure (6% / 1% / 5%)
How DSA penalties work under Regulation (EU) 2022/2065.
DSA Transparency Report Template | Article 15 + Article 24 + VLOP Article 42
Copy and paste ready DSA transparency report template aligned to Regulation (EU) 2022/2065 and Implementing Regulation (EU) 2024/2835.
DSA Transparency Reporting | Articles 15, 24 & 42 Reporting Requirements
A practical guide to EU Digital Services Act transparency reporting: what to publish for Article 15, what to add for Article 24.
DSA vs DMA | Digital Services Act vs Digital Markets Act (What's the Difference?)
A practical comparison of the EU Digital Services Act (DSA, Regulation (EU) 2022/2065) and the EU Digital Markets Act (DMA.
DSA vs UK Online Safety Act | EU vs UK Online Safety Compliance
A practical comparison of the EU Digital Services Act (DSA, Regulation (EU) 2022/2065) and the UK Online Safety Act: scope (EU recipients vs UK users).
EU Digital Services Act (DSA) Requirements | Obligations by Service Type & Tier
A practical breakdown of DSA requirements (Regulation (EU) 2022/2065): obligations for intermediary services, hosting services, online platforms.
EU DSA Compliance Guide | Digital Services Act Implementation Playbook
A practical EU Digital Services Act (DSA) compliance guide for Regulation (EU) 2022/2065: scope memo and tiering.
EU DSA Deadlines & Compliance Calendar | Key Dates, Cadence and Milestones
A DSA compliance calendar for Regulation (EU) 2022/2065: entry into force, general applicability, Digital Services Coordinator designation, Article 15, 24.
EU DSA FAQ | Digital Services Act Questions & Answers (Practical)
Practical answers to the most searched EU Digital Services Act (DSA) questions: who is in scope, what "hosting" and "online platform" mean.
EU DSA Service Types & Scope | Hosting vs Platform vs Marketplace
How to classify your service under the EU Digital Services Act (DSA, Regulation (EU) 2022/2065): intermediary service types (mere conduit, caching, hosting).
VLOP/VLOSE Systemic Risk Assessment (DSA) | Articles 34-36 + Mitigation
A deep guide to DSA systemic risk management for VLOPs/VLOSEs: how to run the Article 34 systemic risk assessment (risk categories, frequency.